For the purposes of EU Regulation No. 2016/679 (also known as the General Data Protection Regulation: “GDPR”) in relation to the protection of natural persons with respect to their personal data processing (as defined below), we inform you that the processing of the data provided by you to the Controller (as identified below) will be carried out in full compliance with the GDPR and based on the following principles:

1. Data Controller

The Data Controller is Anna Maria Cammilli Gioielli Srl, with offices in Italy, Bagno a Ripoli (FI), Via del Fornaccio, 46 E-mail [email protected], Tax Code and VAT No. 02004840480 (the “Controller”).

2. Categories of personal data processed

It is specified that "Personal Data” means any information regarding an identified or identifiable natural person (the “Data Subject”); identifiable means that the natural person can be identified, directly or indirectly, by particular reference to an identifying characteristic such as the name, an identification number, location data, an online identifying characteristic or one or more elements characteristic of your physical, physiological, genetic, mental, economic, cultural or social identity (Art. 4 GDPR).

The following categories of personal data concerning you may be collected through the various channels described in this Privacy Policy, with specific reference to the e-shop on the site (the “Site”):

  1. Contact data – name, address, landline or mobile telephone number, e-mail address, etc.;
  2. Other personal data – information you provide us concerning your date of birth, education or professional situation, tax code, bank account details, credit card number, etc.;
  3. Use of the Site and receipt of communications – information about methods employed to our sites, open or forward our communications, including the information gathered by means of cookies and other tracking technologies (our Cookie Policy can be found at the following link:

3. Purpose and Legal Basis of the Processing

Personal Data collected is used by the Controller for the purposes and in accordance with the legal principles indicated below:

  • In order to supply the products and services requested by the client in a timely and accurate manner, including in order to enter into online sales transaction exclusively on the Site in accordance with the terms of sale found in the e-shop section of the Site; in this case, processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Art. 6(c)(1)(b));
  • To comply with the legal, administrative, accounting and financial obligations arising out of any present or future legal relationship with the Controller and associated incidental activities, and to comply with all the Community/international statutory, regulatory and/or normative obligations; in this case, processing is necessary for compliance with a legal obligation to which the Controller is subject (GDPR Art. 6(c)(1)(c));
  • To provide support services, including after-sales warranty and support services and associated incidental activities, including verification of the customer satisfaction level; in this case, processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract (GDPR Art. 6(c)(1)(b));
  • To inform the clients about the activities and products offered on the Site by sending commercial communications by e-mail; in this case, processing is necessary for the purposes of the legitimate interest pursued by the Controller or by third parties (GDPR Art. 6(c)(1)(f));
  • To inform the users about the activities and products offered on the Site by sending commercial communications by e-mail; in this case, processing is based on the fact that the Data Subject has given consent of an optional nature to the processing of their Personal Data for one or more specific purposes (GDPR Art. 6(c)(1)(a);
  • To conduct profiling activities on the Data Subjects (based on characteristics, behaviours, choices and habits) for the purpose of providing personalised services or promotions addressed to them; in this case, processing is based on the fact that the data subject has expressed consent of an optional nature to the processing of their Personal Data for one or more specific purposes (GDPR Art. 6(c)(1)(a)).

It is specified that such consent may be given personally only by a Data Subject who has reached 14 years of age. If the minor is under 14 years of age, the processing is lawful only if such consent was given or authorised by the parental guardian.

4. Processing Methods and Security Measures

The Personal Data processing shall comply with the principles of accuracy, lawfulness and transparency and be performed with computer hardware or with paper files suitable for the management and transmission of such Personal Data. Processing shall be performed by means of appropriate instruments, according to the state of the art insofar as reasonably required, to ensure security and confidentiality through the use of suitable procedures that prevent the risk of loss, unauthorised access, as well as unlawful use and dissemination.

The Site may contain links to third-party websites or platforms. The Controller cannot control or be held responsible for the conduct of such third-party websites or platforms with respect to personal data protection legislation. Please view the privacy policies on third-party websites to check the methods they use to collect and store or process Personal Data.

In the settings and processing carried out through the Site, security measures are taken to avoid loss, destruction or leaks of personal data. Nevertheless, natural security risks for Personal Data related to online transmission of Personal Data cannot be ruled out with absolute certainty.

5. Processors

To pursue the purposes indicated above, the Controller may communicate and have processed, in Italy and abroad, personal data supplied by you to third parties that the Controller will entrust with processing the personal data on your behalf.

The Controller shall only make use of such Processors as provide sufficient assurances of taking adequate technical and organisational measures to ensure that the processing meets the legal requirements and that the Data Subject’s rights are protected.

The Controller shall share with the Processors only such personal data as is strictly necessary for the Processors to be able to perform their own functions and provide the services requested by the Controller in connection with the activities concerning the Data Subjects.

The Controller undertakes to ensure that the personal data processing by a Processor is regulated by a contract or other legal instrument that binds the Processor to the Controller and stipulates the regulated subject matter and the duration of the processing, the nature and the purpose of the processing, the type of personal data and the categories of Data Subjects, as well as the rights and obligations of the Controller.

Moreover, the personal data may be disclosed to the competent public bodies and authorities where required by law and/or to third parties for the exercise of a right in court based on the provisions of the GDPR.

To find out the categories of Controllers to which personal data may be disclosed, please contact the Controller at the following e-mail address: [email protected]

6. Transferring Personal Data outside the European Union

In the context of its contractual relationships, the Controller may transfer the Personal Data processed to countries outside the territory of the European Economic Area (EEA), including by storing such data in databases managed by entities acting on the Controller's behalf. The management of the databases and the personal data processing shall correspond to the purposes of the processing and be carried out in compliance with the laws applicable to personal data protection.

In case the Personal Data is transferred outside the EEA to countries for which no EU Commission adequacy decision has been adopted, or the processing outside the EEA is not necessary to perform the contractual services for the Data Subject, the Controller shall take all appropriate contractual measures to ensure adequate protection of the Personal Data, including agreements based on the standard contractual clauses adopted by the EU Commission to govern the transfer of Personal Data outside the EEA

7. Retention of the Personal Data

The Controller shall retain the Personal Data only as long as necessary to achieve the purposes for which the data was collected or for any other related legitimate purpose (e.g. where relevant to a defence against claims asserted against the Controller or where there is a legitimate interest). In case consent is withdrawn, the personal data may still be retained in order to manage any disputes and/or litigations.

Without prejudice to the right to be forgotten to the extent provided for by law, if the retention of Personal Data is no longer permitted or provided for by law, the maximum period of retention of the Personal Data shall be seven (7) years after the date of the Data Subject's most recent interaction with the Site.

8. Rights of the Data Subjects

We remind you that each Data Subject may exercise his or her own personal data protection rights at any time.

In particular, the Data Subject is entitled to:

  • receive clear information free of charge concerning the personal data processed and retained by the Controller, including the right to know which Data is collected and how it is processed;
  • request modification of the Personal Data in case it is out of date or incorrect;
  • request the erasure of the Personal Data, within the limits established by law;
  • limit the processing of the Personal Data provided;
  • receive in a structured, commonly used and machine-readable format such of the Personal Data regarding the Data Subject's as he/she has supplied to a controller and is entitled to transmit to another controller without being hindered by the controller to which he/she supplied such data;
  • object to the processing of the personal data;
  • withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent that was given prior to its withdrawal;
  • to file a complaint with the competent supervisory authority.

Such rights may be exercised by e-mailing a written communication to the following address: [email protected]